CVE-2025-31485
📋 TL;DR
This vulnerability in API Platform Core allows GraphQL property grants to be cached with incorrect objects, potentially leading to authorization bypass. It affects all systems running API Platform Core versions before 4.0.22 and 3.4.17. The issue occurs when the ItemNormalizer fails to prevent caching despite the isCacheKeySafe() method's intent.
💻 Affected Systems
- API Platform Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass GraphQL authorization controls, accessing sensitive data or performing unauthorized operations through cached property grants.
Likely Case
Authorization bypass leading to unauthorized data access through GraphQL queries, potentially exposing sensitive information.
If Mitigated
Limited impact with proper authentication and authorization layers, but still presents a security risk.
🎯 Exploit Status
Exploitation requires understanding of GraphQL queries and property grants. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.22 or 3.4.17
Vendor Advisory: https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3
Restart Required: Yes
Instructions:
1. Update API Platform Core to version 4.0.22 (for v4) or 3.4.17 (for v3).
2. Run composer update api-platform/core.
3. Clear application cache.
4. Restart web server/application.
🔧 Temporary Workarounds
Disable GraphQL Caching
Temporarily disable GraphQL caching to prevent the vulnerability while waiting to patch.
Set api_platform.graphql.cache.enabled: false in configuration
🧯 If You Can't Patch
- Implement additional authorization checks at application layer
- Disable GraphQL functionality entirely if not required
🔍 How to Verify
Check if Vulnerable:
Check composer.json for api-platform/core version. If version is below 4.0.22 (for v4) or 3.4.17 (for v3), system is vulnerable.
Check Version:
composer show api-platform/core | grep versions
Verify Fix Applied:
Verify api-platform/core version is 4.0.22 or higher (v4) or 3.4.17 or higher (v3) after update.
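The version check above can be automated against composer.lock, which records the release that is actually installed. The script below is an added example, not code from API Platform or from this page; the function names and the sample lock file are constructed for illustration, and the thresholds are the fixed versions stated above.

```python
import json
import re
import sys

# Fixed releases as stated on this page: 4.0.22 (4.x line) and 3.4.17 (3.x and earlier).
FIXED_V4, FIXED_V3 = (4, 0, 22), (3, 4, 17)
PACKAGE = "api-platform/core"


def parse_version(raw):
    """Return (major, minor, patch) for tags like 'v3.4.16'; None for dev or pre-release tags."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(raw):
    """Map an installed version string to 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(raw)
    if version is None:
        return "unknown"  # e.g. 'dev-main': the locked commit has to be reviewed by hand
    threshold = FIXED_V4 if version[0] >= 4 else FIXED_V3
    return "vulnerable" if version < threshold else "fixed"


def check_lock(lock_text):
    """Return (version, status) for api-platform/core in composer.lock text, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == PACKAGE:
                return pkg["version"], classify(pkg["version"])
    return None


# Constructed sample lock file, trimmed to the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/serializer", "version": "v7.2.0"},
        {"name": "api-platform/core", "version": "v3.4.16"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    text = SAMPLE_LOCK
    if len(sys.argv) > 1:  # optional path to a real composer.lock
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    print(check_lock(text))
```

A result of None means api-platform/core is not listed in the lock file at all, and "unknown" means the locked version is not a plain release tag.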
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL query patterns
- Authorization failures for cached queries
- Cache-related errors in GraphQL logs
Network Indicators:
- Repeated GraphQL queries with similar patterns attempting to bypass authorization
SIEM Query:
source="api-platform" AND ("GraphQL" OR "cache") AND ("authorization" OR "permission")
🔗 References
- https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
- https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a
- https://github.com/api-platform/core/releases/tag/v3.4.17
- https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3